Discrete-Time Chaotic-Map Truly Random Number Generators: Design, Implementation, and Variability Analysis of the Zigzag Map

Hamid Nejati, Ahmad Beirami, and Warsame H. Ali 



Abstract 

In this paper, we introduce a novel discrete chaotic map named zigzag map that demonstrates excellent chaotic behaviors and can be utilized in Truly Random Number Generators (TRNGs). We comprehensively investigate the map and explore its critical chaotic characteristics and parameters. We further present two circuit implementations for the zigzag map based on the switched current technique as well as the current-mode affine interpolation of the breakpoints. In practice, implementation variations can deteriorate the quality of the output sequence as a result of variation of the chaotic map parameters. In order to quantify the impact of variations on the map performance, we model the variations using a combination of theoretical analysis and Monte-Carlo simulations on the circuits. We demonstrate that even in the presence of the map variations, a TRNG based on the zigzag map passes all of the NIST 800-22 statistical randomness tests using simple post processing of the output data.






Index Terms 

Truly Random Number Generator; Current-Mode Circuits; Switched-Current Technique; Variability; Discrete-Time Chaotic

I. Introduction

Chaos is a non-periodic, long-term non-predictive behavior that can be generated by certain nonlinear dynamical systems [1]. Chaotic systems are inherently deterministic given the initial state of the system. The chaotic behavior is a result of the exponential sensitivity of the system to the initial state, which cannot be exactly determined in practice. Chaotic waveforms have been extensively used in various research areas, including biology for the modeling of the behavior of human organs [2], telecommunications for the modulation of the signals, chaotic oscillators, and chaotic encryption of the data [1], [4], and cryptography for the security of the system.

Cryptography serves as the security block for the transmission of a message in the presence of eavesdroppers. The security of a cryptographic system relies on the security of the Truly Random Number Generator (TRNG). A TRNG is capable of producing uncorrelated and unbiased binary sequences through a nondeterministic and irreproducible process. Many practical cryptographic systems use a pseudo-random number generator (PRNG) as their random bit generator. A PRNG is a deterministic system that produces a periodic, limited-length binary sequence using a much shorter seed [5]. The period of the generated sequence grows exponentially with the length of the seed. The output of the PRNG with length much less than one period demonstrates random behavior in terms of bias and correlation between the generated bits. However, the entropy of any sequence generated using a PRNG is limited to the entropy of the seed sequence by the data processing theorem [7]. Consequently, a truly random seed maximizes the entropy of the sequence. Furthermore, the seed has to be periodically changed to keep the system secure. The large period of a PRNG requires a large amount of storage capacity and redundant circuitry, which makes PRNGs ineffective for high speed, low cost cryptosystems [5].

Software programs have been used for the implementation of TRNGs, drawing on sources such as the time interval between keystrokes or mouse movements, the system clock, the content of I/O buffers, and operating system values such as network statistics [8]. Similar to most PRNGs, software based TRNGs generate output data using a computer, which is in a large but finite number of states, resulting in a pseudo-random output sequence. In order to enhance the quality of these TRNGs, a complex combination of different sources of randomness should be used. This combination is practically inefficient, slow, and non-integrable.

On the other hand, hardware based TRNGs utilize the inherent randomness of circuitry. A high entropy TRNG can be built on the inherent randomness of natural phenomena such as the thermal and shot noise of the analog circuitry and the frequency instability (phase noise) of oscillators. Noise is present in electronic circuits and it is also an important parameter in designing amplifiers and RF/analog systems [9]-[16]. Direct amplification of the thermal noise of a resistor followed by a sampling stage seems to generate random sequences. However, this structure cannot be used in integrated circuits due to the sensitivity to deterministic environmental variations such as power supply signals [17]. Most of the existing TRNGs are based on oscillator jitter, which is the variation of low-to-high and high-to-low transition points of the oscillator. If a low frequency (LF) oscillator with high jitter is used to sample the output of a high frequency (HF) oscillator, a random sequence can be obtained. Intel and Via use this structure in their security platforms [18], [19]. However, the bit rate of a jitter-based random bit generator is limited to about 100 kbps [20], which is not suitable for high speed cryptosystems. The use of continuous-time chaotic systems has been recently proposed for the generation of random numbers [21]. However, these methods suffer from the high correlation between the generated bits, resulting in complicated post-processing of the generated bits. Therefore, these methods are not efficient in practice due to the sensitivity to the deterministic environmental variations that deteriorates the quality of the output random bit streams.

Fig. 1. (a) The Bernoulli shift map. (b) Practical implementation of the Bernoulli shift map using a pipelined ADC. (c) The tent map. (d) Our presented discrete chaotic map, called zigzag map.

A discrete-time chaotic map, formed by the iteration of the output value in a transformation function, can be used for the generation of random numbers. Simple piecewise affine input-output (I/O) characteristics have been extensively used for the generation of random bits, e.g., the Bernoulli map [6] and the tent map [22]. The entropy source of a chaotic map is the inherent noise of the system, which is amplified in the positive gain feedback loop by the iteration of the output signal in the map function. The output of the system will be unpredictable after the first few output samples. Pipelining multiple stages of the chaotic map circuit can increase the overall open loop gain of the system. The increased open loop gain can reduce the number of bits that need to be discarded in the beginning of the sequence due to the small inherent noise of the system. Pipelining multiple stages of the chaotic map circuit can also increase the speed of the whole system while contributing to the randomness and therefore improving the quality of the generated bits. The output of each stage is connected to the input of the successive stage. High speed, capability of integration, and the high quality of the generated bits make the discrete-time chaotic maps excellent candidates for high speed embeddable random number generators. Discrete-time chaotic TRNGs are much faster than the jitter based TRNGs. The high speed of these systems is mainly owed to the circuit implementation and the pipelined structure, which can increase the output bit rate. The capability of being integrated is another important positive point for this kind of TRNG.

Imperfections in the practical implementation of TRNGs, so-called non-idealities, result in bias and correlation in the generated binary sequence of a truly random bit sequence. Hence, post-processing of the output data is required to improve the statistical characteristics of the bit sequence. Von Neumann [23], SHA-1 [24], and SHA-2 [25] are the most widely used post-processing algorithms. All of these methods suffer from the trade-off between bit-rate and the entropy of the generated binary sequence. Theory suggests that the knowledge of the non-ideality of the chaotic map can improve the efficiency of the post-processing unit [26]-[28]. The NIST 800-22 statistical test suite is a standard evaluation tool for the examination of the quality of the generated bit stream [29]. This test can only prove that a large binary sequence is not random if it fails the tests. This test suite cannot be used for the evaluation of the true randomness of the binary sequence. It is impossible to analytically prove the true randomness of a sequence of data.

The practical application of both the tent map and the Bernoulli map can be hindered by noise and implementation errors, where they are unable to maintain the state of the system confined in the map [6]. In the preliminary version of this work [30], we proposed the zigzag map as a modification to the tent map that would make it robust to implementation variations and presented a very basic implementation. The zigzag map is interchangeable with the tent map in practice while solving the confinement problem. In this paper, we present two implementations for the zigzag map based on the switched current technique as well as the current-mode affine interpolation of the breakpoints for high speed applications. The current mode circuits are capable of producing high gain, less distortion, and high speed compared to voltage mode circuits. Less sensitivity to switching noise and process variations are other benefits of the current mode circuits. The effect of process variation on the parameters of the chaotic map is explored and a set of Monte Carlo simulations is used to quantify the map non-idealities. The second circuit demonstrated less sensitivity to process variations. The post-processing of the output data of a non-ideal map passes the randomness test suite.

This paper is organized as follows. In Section II, the practical problems of the Bernoulli and tent maps are pointed out. Then, we present the zigzag map and investigate its chaotic characteristics. In Section III, we explain the feasibility of implementation of the presented zigzag map. The deviation of the circuit I/O characteristic from the desired map deteriorates the quality of the output random bit sequences. This effect is modeled and analyzed in Section IV. The generated sequence is fed to a post-processing unit and validated against the NIST 800-22 randomness test suite. Section VI concludes the paper.



A. Common Discrete-Time Chaotic Maps 

Discrete-time chaotic maps are a subclass of discrete-time nonlinear dynamical systems that can exhibit chaotic behaviors, formed by the iteration of the output of the system back into the system at every time step. A chaotic map is deterministic. If the initial state of a deterministic system is exactly known, the output behavior can be predicted exactly. The impossibility of exact knowledge of the initial state in practice is the reason for the chaotic behavior.

The Bernoulli and tent maps are the two most commonly used discrete-time chaotic maps. The Bernoulli shift map, shown in Figure 1(a), is a piecewise affine map that exhibits chaotic behavior. A 0 is generated if $x_n < 1/2$ and a 1 is generated if $x_n > 1/2$. The probabilities of all transitions are equal to 1/2 regardless of the current state of the system. A pipelined ADC is used for practical implementation of the Bernoulli shift map. The I/O characteristic of a pipelined ADC is shown in Figure 1(b). In practice, this map suffers from not being able to confine the output sequence in the chaotic region of $(-1, 1)$. If for any reason the input value becomes slightly greater than 1 or less than $-1$, the output stream gets out of the map and never returns to it. Decreasing the slope from 2 and using a 1.5-bit ADC are the most widely used solutions to overcome this problem [6], [31], which result in very complicated structures.

The tent map, shown in Figure 1(c), also exhibits chaotic behavior [22], [32]. This system has been proved to be asymptotically stable with a uniform density distribution. Bit 0 is defined as $(0, 1/2)$ and bit 1 is defined as $(1/2, 1)$. The proposed structures are sensitive to implementation variations [33]. A tailed tent map was presented in [33], which has a uniform density distribution. However, the process of generating bits from the tailed tent map is not straightforward. In addition, the post-processing required to compensate for non-idealities can result in complicated circuitry or reduced output bit-rate.

B. Presented Zigzag Map 

We introduce a novel discrete chaotic map and call it the zigzag map, shown in Figure 1(d). It is notable that the output values of the zigzag map alternate between positive and negative values. We will show later that the alternation between positive and negative values is helpful in the presence of implementation non-idealities.

Fig. 2. Bifurcation diagram for the zigzag map with bifurcation parameter m, used in (1). The generalized zigzag map with three different values of m (-1, -2, and -3) is shown in the inset.

Fig. 3. (a) The double breakpoint current mirrors for the generation of the I/O current characteristic of the zigzag map. (b) The I/O current characteristic of the implemented circuit with the parameters (x = 3.6 µA and a = 0.5 µA).

As shown in Figure 1(d), the tent map and the zigzag map have outputs that are equal in absolute value due to the symmetry, but the output values alternate between positive and negative values in the zigzag map. Thus, the absolute value of the generated output stream is the same for both maps. In other words, if $x_1$, $x_2$ and $x_3$ are three successive outputs of the tent map, the outputs of the zigzag map will be given by $x_1$, $-x_2$ and $x_3$. Generation of bits from this map is straightforward: $|x_n| < 1/2$ represents 0 and $|x_n| > 1/2$ represents 1. The generalized zigzag map can be defined as

f -m(x n + ] ^ l ) -Kx n <-^ 

Xn+l = I ™>X n -jij < X n < jij , (1) 

where $m$ is a real number and $m \in (-3, 3)$. In this equation, $m = -2$ represents the zigzag map. This formulation can be used to find the bifurcation diagram of the presented chaotic map with respect to the bifurcation parameter $m$ (Figure 2). A bifurcation diagram can be used to identify the chaotic behavior of a system. It represents the possible steady state values of a dynamical system as a function of the bifurcation parameter.

Without loss of generality, the initial state of the system has been assumed to be a slightly positive number, i.e., $x_0 = 0^+$. We start analyzing the diagram from larger values of $m$. $m = 3$ is a critical point in the diagram. This case is at the verge of instability, since the system can be driven out of the map. In $2 < m < 3$, the system is chaotic and stable. Chaos can be observed for $1 < m < 2$. Since the initial state of the system has been assumed to be positive, the output value is confined to positive values. If the system gets out of the positive region and goes into the negative region, it will get trapped in the negative region. For $|m| < 1$, no chaotic behavior is observed. The output of the system will ultimately settle at zero. $-2 < m < -1$ is also a chaotic region for the system. The output in this region alternates between positive and negative values. Note that there is no asymptotic density distribution since for odd and even time steps, the output values are in the positive and negative regions, respectively. In other words, $\lim f_n(x)$ does not exist as $n \to \infty$. The bifurcation diagram of the tent map is the same as given here for $0 < m < 2$.
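The regimes described above can be checked numerically. The following Python sketch is an added example, not code from the paper: the piecewise form of `zigzag` is an assumption reconstructed from the prose (slope m between breakpoints at ±1/|m|, with m = -2 giving a sign-alternating tent map), and the starting points and sample slopes are constructed.

```python
from fractions import Fraction

HALF = Fraction(1, 2)


def tent(x):
    """Tent map on (0, 1): slope +2 below 1/2, slope -2 above."""
    return 2 * x if x < HALF else 2 * (1 - x)


def zigzag(x, m=Fraction(-2)):
    """Generalized zigzag map on (-1, 1); m = -2 is the zigzag map.

    ASSUMED form, reconstructed from the prose rather than copied from the
    paper: slope m between the breakpoints +-1/|m|, slope -m outside them,
    continuous at the breakpoints.
    """
    k = 1 / abs(m)
    if x < -k:
        return -m * (x + 2 * k)
    if x > k:
        return -m * (x - 2 * k)
    return m * x


def orbit(f, x0, n):
    """Return the n successive outputs f(x0), f(f(x0)), ..."""
    out, x = [], x0
    for _ in range(n):
        x = f(x)
        out.append(x)
    return out


def to_bits(xs):
    """Bit rule from the text: |x| > 1/2 gives 1, |x| < 1/2 gives 0."""
    return [1 if abs(x) > HALF else 0 for x in xs]


def regime(m, x0=1e-3, burn=2000, keep=500):
    """Summarize the steady-state orbit for slope parameter m (floats)."""
    tail = orbit(lambda x: zigzag(x, m), x0, burn + keep)[burn:]
    pairs = list(zip(tail, tail[1:]))
    return {
        "min": min(tail),
        "max": max(tail),
        "confined": all(abs(x) <= 1 + 1e-12 for x in tail),
        "settles_to_zero": all(abs(x) < 1e-9 for x in tail),
        "alternates": all(a * b < 0 for a, b in pairs),
    }


if __name__ == "__main__":
    # Exact rational arithmetic: with slope 2, binary floats lose one bit
    # per step and the orbit would collapse after about 50 iterations.
    x0 = Fraction(3, 11)  # constructed starting point
    zz, tt = orbit(zigzag, x0, 10), orbit(tent, x0, 10)
    print("tent  :", [str(t) for t in tt])
    print("zigzag:", [str(z) for z in zz])
    print("same bits:", to_bits(zz) == to_bits(tt))
    for m in (0.8, 1.5, -1.5, 2.5):  # constructed sample slopes
        print(m, regime(m))
```

The exact run shows that the zigzag and tent orbits agree in absolute value and therefore yield the same bit stream, while the float runs reproduce the settle-to-zero, single-sign and alternating regimes.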

III. SWITCHED-CURRENT CIRCUIT IMPLEMENTATION FOR THE ZIGZAG MAP 

Current mode circuits have recently attracted great attention [34]. The signal is represented by the current of branches instead of the voltage of the nodes used in traditional voltage-mode circuits. Reduced distortion, high gain, low input and high output impedances, high speed, less sensitivity to switching noise and better ESD immunity are other excellent characteristics of current mode circuits that make them one of the best candidates for future telecommunications, analog signal processing, multiprocessors, and high speed computer interfaces [34].

In order to consider the effect of inter-die (different devices in one chip) or intra-die (among devices on various chips) variations, we design a current mode circuit with low sensitivity to the process variations. The symmetric double break point current mirrors are less sensitive to the process variations compared to other implementations of piecewise linear I/O current characteristics [35]. If we combine two different double break point circuits together, we can expect the I/O characteristic curve shown in Figure 1(d). One of the current mirrors is implemented by NMOS transistors, while for the sake of symmetry the other one is implemented by PMOS transistors. The double break point current mirrors do not accumulate errors originating from process variations. It is straightforward to design a desired piecewise linear I/O curve with this circuit. The preprocessing part of the circuit consists of two track and hold stages that enable the iteration of the output into the system.

The upper side of the circuit, shown in Figure 3(a), can generate the double break point current mirror with the gain of 4, while the gain of the lower part is 2. Adding the output currents of these two structures, we can generate the zigzag map as the I/O characteristic of the presented circuit. $I_1$, $I_2$, and $I_3$ are the current sources connected to the upper and lower side, distinguished by an extra $p$ and $n$ index for the upper (PMOS) and lower (NMOS) circuits, respectively. The values of these current sources are as follows:

$$I_{1p} = x, \quad I_{2p} = 2x, \quad I_{3p} = 0,$$
$$I_{1n} = 2a, \quad I_{2n} = 2x + a, \quad I_{3n} = 2a. \tag{2}$$

The I/O characteristic for $x = 3.6\,\mu\mathrm{A}$ and $a = 0.5\,\mu\mathrm{A}$, as an example, is shown in Figure 3(b).

The reference current sources are implemented with resistors whose thermal noise can increase the randomness and uncertainty of the system.

Another common method to generate discrete chaotic maps is based on the current-mode affine interpolation of the breakpoints [36]. This can be implemented by the affine interpolation of the value at the breakpoints [36]. In this method, any affine partition of the map is implemented using one elementary block based on the detection of the breakpoints. Therefore, it is straightforward to find out whether the output value is within a certain affine partition of the map. In order to obtain the open-loop characteristic function of the circuit, the output of the circuit was connected to a matched load with the same impedance as the input impedance of the circuit. The simulations were carried out with CADENCE in IBM 0.13 µm technology. In Figure 3(b), the I/O characteristic of the first circuit obtained by simulation is shown. $x$ and $a$ are two parameters in the map, highlighted in Figure 3(b). $\pm 2x$ is the required distance for the map. $a$ is the extra length in the positive and negative side of the map. $a = 0$ can cause a trap point at zero, while a nonzero $a$ removes this state from the system, so that the possibility of trapping at zero can be zero. The causes of slight changes in the simulation results will be taken into account in the next section. We performed HSPICE simulations in IBM 0.13 µm technology for the second circuit. The resulting I/O current characteristic of the circuit is shown in Figure 4. The small variations of the map compared to the ideal map will be explained in the next section.

Four of the above maps are pipelined in a feedback loop. The noise floor of the analog circuits sets the initial state of the system, which results in the non-predictive behavior of the system after the first few outputs. The inherent noise of the system is very small. However, the first $m$ runs of the system amplify the noise to a detectable range. If the gain of the open loop system is $A$, we should discard the first $m$ bits of the output stream, given by $m = \log_A(P_d/N)$, where $P_d$ and $N$ are the detecting power and noise power, respectively. A single stage of the system has a gain of 2 and the whole system has a gain of 16. The number of bits that need to be discarded from the beginning of the output sequence will be about 20.

By investigating the transient response of both circuits with an input current pulse, we demonstrated that in the worst case the output would settle within 1% of its final value in less than 12.5 ns and 15 ns for the switched current circuit and the interpolation of the values at breakpoints circuit, respectively.




Fig. 4. The expected zigzag map (dashed line) and resulting I/O current characteristic of the zigzag map of the implemented circuit (solid line) based on the current-mode affine interpolation of the breakpoints with the parameters (x = 3.6 µA and a = 0.5 µA).

Fig. 5. The zigzag map with a fixed offset. The slope variations for (a) negative and (b) positive changes. The equivalent tent map for the (a) and (b) are shown in (c) and (d), respectively. The probability density function as a function of the chaotic map parameter for (c) and (d) is depicted in (e) and (f), respectively.



IV. Modeling the Impact of Implementation Variations 

This section is divided into two parts. In Subsection IV-A, we derive the impact of the variations of the physical parameters of the presented circuit as non-idealities of the chaotic map. In Subsection IV-B, we investigate the transition matrix of the underlying Markov process in the presence of variations in the parameters of the chaotic map. We also quantify the bias and correlation in the output bit sequence.

A. The Main Causes of Non-Ideality in the Presented Circuit 

The circuit is based on the switched current technique. Hence, the process, voltage and temperature (PVT) variations mainly 
impact two different parts of the circuit, namely the sources of currents that are the current mirrors and the current limiter 
stages. 

In a current mirror, the current $I$ that is supposed to mirror $I_s$, the source current, is designed using the ratio of the widths of the transistors, $W_2/W_1$. The current in a MOS transistor in the saturation region is given by

$$I = \frac{1}{2}\mu C_{ox}\frac{W}{L}(V_{GS} - V_{th})^2(1 + \lambda V_{DS}). \tag{3}$$

This suggests that

h _ W 2 L 1 l + \ 2 Vps2

Since we are not designing in deep sub micron processes, we can neglect the effect of variations in $\lambda$. We can approximate the variation in different process and $V_{DS}$ provided that the changes compared to the parameters are negligible. Hence,

£ « ^(1 + 2|AW| + 2|AL| + 4 J^L + 2^1), (5)

H W\ V gs — Vth t + *VDS

where $\Delta W$, $\Delta L$, $\Delta V_{th}$, and $\Delta V_{DS}$ are the variations in width, length, threshold voltage, and the drain-source voltage of the transistors, respectively. If the $V_{DS}$ changes are large, we should compensate for that by further tuning of the width of the transistors. We need to investigate the worst-case variations. The impact of variations in $V_{DS}$ and $V_{th}$ is in the range of 1%, which can be ignored compared to other parameters [37], [38]. Thus, the inner die variations for the width of two different transistors in the current mirror will play the dominant role in altering the gain of the current mirror topology. The standard deviation of the variations is around 5% [38]-[41].

The current limiter cannot exactly provide the desired fixed current due to the output resistance of the transistors. This non-ideality results in a small variation in the slope in the I/O characteristic of the circuit, which is proportional to $\lambda$ and the bias current of the circuit. While we can reduce this effect by further tuning of the width of transistors, the variation is inevitable.



B. Investigating the Effect of Map Non-Idealities on Bias and Correlation of Output Data Sequence 

We first consider a map with symmetric slope variation as in Figures 5(a,b). We later extend to the non-symmetric case when we study the impact of post-processing. As discussed earlier, the ideal zigzag map has the same functionality as the tent map except for the alternations of the output between positive and negative values. Due to the symmetry in the map function and the bit generation process, the non-ideal maps can be analyzed using the maps shown in Figure 5(c,d). Since the latter are easier to work with, we use them for the rest of the derivations. Note that without loss of generality, every chaotic map can be scaled to $(-1, 1)$. We assume the slope (gain) in the rising part of the map to be $2(1 + \delta_{g1})$ and the gain in the falling part to be $-2(1 + \delta_{g2})$. The non-ideal map function $N(x) : (0, 1) \to (0, 1)$ is thus given by

$$N(x) = \begin{cases} 2(1 + \delta_{g1})x, & x < x_b \\ 1 - 2(1 + \delta_{g2})(x - x_b), & x > x_b \end{cases} \tag{6}$$

where $x_b$ is the abscissa of the boundary between the rising and falling sections and is

$$x_b = \frac{1}{2(1 + \delta_{g1})}. \tag{7}$$

Note that our analysis of the symmetric non-ideal map is also valid for the non-ideal tent map. In this map, bit 0 or 1 is generated if $x \in (0, x_b)$ or $x \in (x_b, 1)$, respectively. Throughout our analysis, we assume that variations are small, and we use first-order approximations for $\delta_{g1}$ and $\delta_{g2}$. This assumption is valid according to our analysis of the process variations in the current mirrors. Accordingly, $x_b$ can be easily shown to be

$$x_b \approx \frac{1}{2}(1 - \delta_{g1}). \tag{8}$$

Let $\delta_0$ be the ordinate of the end point of the map with abscissa $x = 1$, which is given by

$$\delta_0 = -(\delta_{g1} + \delta_{g2}). \tag{9}$$

The impact of $x_b$ and $\delta_0$ is illustrated in Figure 6(a). The analysis of the two cases of $\delta_0 > 0$ and $\delta_0 < 0$ is slightly different. First, consider Figure 5(c), i.e., $\delta_0 > 0$. We want to find a good approximation for the asymptotic probability distribution $f(x)$ in the map. We approximate $f(x)$ using a four step distribution, as shown in Figure 5(e). Let $f_u$ denote the approximate probability density at $x = 1$. According to the Frobenius-Perron operator, the distribution in $(0, \delta_0)$ can be given by

$$f_0 = \frac{1}{2} f_0 = 0. \tag{10}$$

We can calculate the distribution in $(\delta_0, 2\delta_0)$, $f_1$, as

$$f_1 = \frac{1}{2} f_0 + \frac{1}{2} f_u = \frac{1}{2} f_u. \tag{11}$$

Finally, the probability distribution for $(2\delta_0, 4\delta_0)$, $f_2$, can also be calculated using the same approach to be

$$f_2 = \frac{1}{2} f_1 + \frac{1}{2} f_u = \frac{3}{4} f_u. \tag{12}$$

The probability distribution in $(4\delta_0, 1)$ is approximated using $f_u$. Now, $f_u$ can be calculated by noting that the probability distribution integrates to unity, i.e., $\int f(x)\,dx = 1$. Thus,

$$f_u = \frac{1}{1 - 2\delta_0} \approx 1 + 2\delta_0. \tag{13}$$

The results of simulation are provided in Figure 7(a-c) for different values of $\delta_0$. We can see that our approximate model captures the impact of the variations even for fairly large values of $\delta_0$.

The case of Figure 5(d), i.e., $\delta_0 < 0$, can be analyzed similarly. The four step density distribution is shown in Figure 5(f). We derive the distribution in $(0, |\delta_0|)$ as

$$f_0 = \frac{1}{2} f_0 + \frac{1}{2} f_u + \frac{1}{2} f_u = 2 f_u. \tag{14}$$



Fig. 6. (a) The impact of variations on the zigzag map characteristics. (b) The states of the Markov chain for truly random number generation.



The probability distribution in (\S \, 2|<J |), i.e., /q, the probability distribution in (2|<5 |, 4|J |), i.e., /i, and the distribution in 
(|45 |, 1), i.e., /2, can be calculated in a similar way. W be /i = |/„ and f% = |/ u . Finally, we have 



fu = 



1 



2(1 -6 ) 

In the case of $\delta_0 < 0$, we have $f_u < 1$, i.e., the value of $f(x)$ for $x \approx 1$ is less than unity. Again, the simulation results presented in Figure 7(d-f) show good agreement between the presented model and simulation results.

We model the bit generation process using a Markov chain as demonstrated in Figure 6(b). The transition probabilities of the map can be derived by integration of the probability distribution of the map to form the transition matrix of the Markov chain as



1 + 26 . 



(15) 



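$$P(0|0) = \frac{\int_0^{x_{t1}} f(x)\,dx}{\int_0^{x_b} f(x)\,dx}, \qquad P(1|0) = \frac{\int_{x_{t1}}^{x_b} f(x)\,dx}{\int_0^{x_b} f(x)\,dx},$$

$$P(0|1) = \frac{\int_{x_{t2}}^{1} f(x)\,dx}{\int_{x_b}^{1} f(x)\,dx}, \qquad P(1|1) = \frac{\int_{x_b}^{x_{t2}} f(x)\,dx}{\int_{x_b}^{1} f(x)\,dx}, \tag{16}$$

where $x_{t1}$ and $x_{t2}$ are the points whose ordinates are equal to $x_b$ and are shown in Figure 5(a,b).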

We use our approximate model for the evaluation of the integrals. First, we derive $p$ and $q$, i.e., $P(0|0)$ and $P(1|1)$. For fairly small variations ($|\delta_0| < 1/16$), the three regions $f_0$, $f_1$ and $f_2$ lie in $(0, x_{t1})$. This is indeed the region of interest for our purposes. We derive the transition probabilities as functions of $\delta_{g1}$ and $\delta_{g2}$. $p$ and $q$ are given by



p = P(0|0) = \ + \s gl 

q = P{l\l) = \-\^- 



25 



82) 



(17) 



Thus far, we derived the transition probabilities of the underlying Markov chain in (16). Next, we demonstrate that these can actually be used to derive the bias and correlation in the output bit sequence of the truly random number generator. It is straightforward to show that the bias is

$$b = \left|\frac{1}{2} - P(1)\right| = \frac{|p - q|}{2(2 - p - q)}. \tag{18}$$

Further, $\lambda_1 = |p + q - 1|$ is the second eigenvalue of the transition matrix. It can be shown that the correlation between the bits in the output sequence decays exponentially with their distance as $2^{-cn}$, where $c = -\log_2(\lambda_1)$. Note that if $\delta_{g1} = \delta_{g2} = 0$, we will have $p = q = \frac{1}{2}$ and thus there is no bias ($b = 0$) and no correlation ($c = \infty$) in the output sequence.



V. Post processing 

We performed an extensive set of Monte Carlo simulations with HSPICE to determine the impact of process variations on the slope of the I/O characteristic curve. The absolute value of the slope, characterized by $m$, should be 2 for the presented chaotic map. The Monte Carlo simulation technique uses different randomly chosen values for the transistor parameters with a defined Gaussian distribution. We assume that the transistor parameter values are normally distributed and uncorrelated with a standard deviation of 2 percent, which is within the range of predicted values for current and future process technologies. Monte Carlo simulations demonstrate that the second circuit is less sensitive to process variations; therefore we use this circuit for the rest of this paper. By inspecting the variation of different linear pieces of the I/O characteristic curve as the objective of this Monte Carlo simulation, we find that the variation in slopes is less than 4 percent. To be more accurate, the standard deviations of the slopes are less than 2, 4, and 1 percent for the first, second, and third linear pieces, respectively.

Fig. 7. The probability distribution function of the non-ideal system for different slope variations of (a) +1.25%, (b) +2.5%, (c) +5%, (d) -1.25%, (e) -2.5%, and (f) -5%. The thick solid line demonstrates the presented model and the thin solid line represents the simulation results.

Due to imperfections in practice, the existence of correlation and bias is inevitable; these can be removed with a post-processing unit. The Von Neumann, SHA-1, and SHA-2 post-processing algorithms are the most widely used algorithms in practice and have proved to be effective in the removal of bias and correlation [21], [43], [44]. In the Von Neumann algorithm, the sequence is divided into blocks of length two. Every 01 and 10 are considered 0 and 1, respectively, while 00 and 11 are discarded. This results in a variable bit-rate that is not desired. The SHA-1 and SHA-2 algorithms are suitable for removing the correlation and bias from the bit streams. Although these methods are effective, the implementation requires an FPGA or complex hardware configurations. The sequences of data should pass through the post-processing stage mainly because of inherent non-ideality factors in the process or circuit.

Our post-processing module is based on the method proposed by Addabbo et al. [45]. The method relies on two main facts. 
First, bits that are located further apart from each other have less correlation. The correlation approaches zero as the distance of 
the bits approaches infinity. The other fact is that the XOR of two independent biased sequences will result in a sequence with less 
bias. See [46] for details. The debiasing block, shown in Figure 8, consists of a shift register of length $l$ and an XOR gate. 
$z_{n-l}$, which is the output at time $n - l$, is XORed with $d_{in}(n)$, which is the input at time $n$. $l$ must be large enough so that $z_n$ 
and $z_{n+l}$ are almost uncorrelated. In practice, $l$ can be efficiently chosen by using the estimations made in the last sections. 
This has been proved to remove the bias of the output sequence in steady state. The decorrelation block is used to remove 
the correlation of the bits with a distance of $kl$. Note that we take the number of stages of the shift register $l$ and the number 
of stages of the map $m$ to be prime with respect to each other, $(m, l) = 1$. This will greatly reduce the correlation between 
bits of distance $kl$, where $k$ is not a multiple of $l$. The presented TRNG is robust to process and circuit variations, which 
provides a simple post-processing stage compared to other chaotic maps used in TRNGs. 
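
The following is an added example, not code from the paper: it compares the Von-Neumann corrector with the XOR-feedback debiasing block described above, $z_n = d_{in}(n) \oplus z_{n-l}$, and measures the correlation the debiasing block leaves at lag $l$, which the decorrelation block is there to handle. The input is a constructed source of independent bits with an exaggerated bias P(1) = 0.55; the source model, the choice l = 7 (coprime to the four map stages), and all function names are assumptions.

```python
import random
from collections import deque

def von_neumann(bits):
    """Non-overlapping pairs: 01 -> 0, 10 -> 1, while 00 and 11 are discarded."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def xor_feedback_debias(bits, l):
    """z[n] = d_in[n] XOR z[n-l], using an l-stage shift register that starts at zero."""
    reg = deque([0] * l, maxlen=l)      # reg[0] always holds z[n-l]
    out = []
    for d in bits:
        z = d ^ reg[0]
        reg.append(z)                   # a full deque drops its oldest entry
        out.append(z)
    return out

def bias(bits):
    """Deviation of the fraction of ones from 1/2."""
    return sum(bits) / len(bits) - 0.5

def lag_correlation(bits, lag):
    """Mean of b[n]*b[n-lag] with bits mapped to +1/-1; near 0 if unrelated."""
    pairs = zip(bits[lag:], bits[:-lag])
    return sum(1 if a == b else -1 for a, b in pairs) / (len(bits) - lag)

def demo(n=200_000, p_one=0.55, l=7, seed=1):
    # Constructed stand-in for the raw TRNG output: independent bits, P(1) = p_one.
    rng = random.Random(seed)
    raw = [1 if rng.random() < p_one else 0 for _ in range(n)]
    vn = von_neumann(raw)
    z = xor_feedback_debias(raw, l)
    return {
        "raw_bias": bias(raw),
        "vn_bias": bias(vn),
        "vn_rate": len(vn) / n,         # output bits per input bit (data dependent)
        "xor_bias": bias(z),
        "xor_rate": len(z) / n,         # one output bit per input bit
        "xor_corr_lag_l": lag_correlation(z, l),
        "xor_corr_lag_1": lag_correlation(z, 1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value:+.4f}")
```

For this source both methods bring the bias close to zero, but the Von-Neumann corrector keeps only about a quarter of the input bits, while the XOR block keeps the full rate and leaves a correlation of about 1 - 2 P(1) at lag $l$.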

The output bit streams of the ideal and non-ideal I/O characteristics are tested in the NIST 800-22 test suite and the results are 
presented in Table I. As listed in the table, before post-processing, the generated bits fail some of the tests but after passing 
through the post-processing unit the generated bits pass all the tests. 

In the generation of the random bits, we consider the worst case scenario, which consists of four stages with similar $I_{out}/I_{in}$ 
characteristics. In practice, these four stages are not exactly the same; therefore, the mismatch can enhance the quality of the random 
output sequence. Utilization of four stages can also increase the total bit rate by multiplying the internal clock (track and hold 
clock) of the system by the number of cascading stages. The output bits of all stages go to a 4-bit register, known as bit 
shuffling [47]. The output bit stream is more uniform than the inputs. The output of the register is fed to the 
post-processing unit. 

The presented chaotic map can generate random bits, which have lower sensitivity to the circuit parameter fluctuations 
caused by process variation or circuit element mismatches. In addition to low power consumption (1.42 mW), the presented 
circuit can operate in clock frequencies as high as 10 MHz with the overall bit rate of 40 Mbps. To calculate the worst case 
power consumption of the circuit, we calculate the average power consumption of the circuit with different input currents. 
Due to randomness and chaotic behavior of the presented chaotic map, the probability of the system to be in any point in the 
steady state is the same. 

Fig. 8. The overall implementation of the presented TRNG with four pipelined chaotic maps. The post processing unit can remove the correlation and bias 
of the bit shuffled streams with decorrelation and debiasing blocks, respectively. 



TABLE I 

NIST 800-22 TEST SUITE RESULTS FOR THE NON-IDEAL ZIGZAG MAP BEFORE AND AFTER APPLYING THE POST-PROCESSING UNIT 

| NIST 800-22 test suite | Nonideal map with post-processing | Nonideal map without post-processing |
|------------------------|-----------------------------------|--------------------------------------|
| apen                   | 0.513673                          | 0.431503                             |
| Block frequency        | 0.410214                          | 0.94278                              |
| Cumulative sums        | 0.80785                           | 0.095407                             |
| Cumulative sums        | 0.975089                          | 0.03606                              |
| FFT                    | 0.871131                          | 0.721176                             |
| Frequency              | 0.575479                          | 0.047704                             |
| Linear complexity      | 0.082259                          | 0.017841                             |
| Longest run            | 0.024845                          | 0.553323                             |
| Non-periodic templates | 100% Success                      | 99.32% Success                       |
| Overlapping templates  | 0.736301                          | 0.510453                             |
| Rank                   | 0.98771                           | 0.445713                             |
| Runs                   | 0.044596                          | 0.689421                             |
| Serial                 | 0.443073                          | Failure                              |
| Serial                 | 0.548205                          | Failure                              |
| bias                   | 0.04%                             | 0.50%                                |



VI. Conclusion 

In this paper, we presented a TRNG based on a novel discrete-time chaotic map, namely the zigzag map, that is capable of 
being used in high speed embedded cryptographic systems. The proposed map proved to be chaotic and has been implemented 
by switched current technology. The random bits are generated due to the transition among different points of the chaotic map. 
Pipelining four stages in a positive feedback loop, we can amplify the inherent noise of the system within a detectable range, 
which results in random number generation. A modeling methodology has been developed to predict the performance of the 
system in the presence of non-idealities. Non-ideality sources are modeled and their effect on the performance of the output 
binary sequence (correlation and bias) has been studied. The non-ideal binary stream has been fed to a post processing module 
to increase the quality of the random digits. The presented system has been demonstrated to generate random bits that pass 
the NIST 800-22 test suite. 

ACKNOWLEDGEMENTS 

This work was done in part when the authors were affiliated with Rice University. The authors would like to thank Professor 
Yehia Massoud for the valuable discussions, comments and suggestions that helped to improve the quality of this paper. 

References 

[1] S. Wiggins, Introduction to Applied Nonlinear Dynamical Systems and Chaos. Springer-Verlag, 1990. 
[2] K. Kaneko and I. Tsuda, Complex systems: chaos and beyond: A constructive approach with applications in life science. Springer, 2001. 
[3] H. Nejati, T. Ragheb, A. Hosseini, and Y. Massoud, "A programmable input-pulse dependent chaotic oscillator," in Proc. of IEEE MWSCAS, 2007, pp. 173-176. 
[4] H. Nejati, T. Ragheb, and Y. Massoud, "On the feasibility of bandwidth tuning in cascaded non-autonomous chaotic oscillators," in Proc. of IEEE MWSCAS, 2008, pp. 902-905. 
[5] A. Menezes, P. Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and Its Applications, 1997. 
[6] S. Callegari, R. Rovatti, and G. Setti, "Embeddable adc-based true random number generator for cryptographic applications exploiting nonlinear signal processing and chaos," IEEE Trans. Signal Processing, vol. 53, no. 2, pp. 793-805, February 2005. 
[7] T. M. Cover and J. A. Thomas, Elements of Information Theory. John Wiley and sons, 2006. 
[8] Y. Hu, X. Liao, K.-W. Wong, and Q. Zhou, "A true random number generator based on mouse movement and chaotic cryptography," Chaos, Solitons and Fractals doi: 10.1016, pp. 1-8, October 2007. 
[9] T. Ragheb, J. Laska, H. Nejati, S. Kirolos, R. Baraniuk, and Y. Massoud, "A prototype hardware for random demodulation based compressive analog-to-digital conversion," in Proc. of IEEE MWSCAS, 2008. 
[10] S. Pfetsch, T. Ragheb, J. Laska, H. Nejati, A. Gilbert, M. Strauss, R. Baraniuk, and Y. Massoud, "On the feasibility of hardware implementation of sub-nyquist random-sampling based analog-to-information conversion," in Proc. of the IEEE ISCAS, 2008, pp. 1480-1483. 
[11] T. Ragheb, H. Nejati, A. Nieuwoudt, and Y. Massoud, "Parasitic-aware analytical modeling of fully integrated switchable narrow-band cmos low noise amplifiers," in Proc. of IEEE WAMICON, 2006, pp. 1-5. 
[12] H. Nejati, T. Ragheb, A. Nieuwoudt, and Y. Massoud, "Analytical modeling methodology for ultra wideband low noise amplifiers with generalized filter-based impedance matching," ALOG, vol. 51, no. 2, pp. 121-127, 2007. 
[13] , "Modeling and design of ultrawideband low noise amplifiers with generalized impedance matching networks," in Proc. of the IEEE ISCAS, 2007, pp. 2622-2625. 
[14] H. Nejati, T. Ragheb, and Y. Massoud, "On the design of customizable low-voltage common-gate lna-mixer pair using current and charge reusing techniques," in Proc. of the ACM GLSVLSI, 2008, pp. 195-200. 
[15] , "Analytical modeling of common-gate low noise amplifiers," in Proc. of the IEEE ISCAS, 2008, pp. 888-891. 
[16] A. Nieuwoudt, T. Ragheb, H. Nejati, and Y. Massoud, "Numerical design optimization methodology for wideband and multi-band inductively degenerated cascode cmos low noise amplifiers," IEEE TCAS I, vol. 56, no. 6, pp. 1088-1101, 2009. 
[17] C. S. Petrie and J. A. Connelly, "A noise-based ic random number generator for applications in cryptography," IEEE Trans. Circuits Syst. I, vol. 47, no. 5, pp. 615-621, May 2000. 
[18] B. Jun and P. Kocher, "The Intel Random Number Generator," Tech. Rep. Cryptography Research Inc. [online] http://www.cryptography.com/resources/whitepapers (1999). 
[19] "Evaluation of VIA C3 Nehemiah Random Number Generator," Tech. Rep. Cryptography Research Inc. [online] http://www.cryptography.com/resources/whitepapers (2003). 
[20] C. Liu and J. A. McNeill, "A digital-PLL-based true random number generator," in IEEE PhD Research in Microelectronics and Electronics, 2005, pp. 113-116. 
[21] M. E. Yalcin, J. A. K. Suykens, and J. Vandewalle, "True random bit generation from a double-scroll attractor," IEEE Trans. Circuits Syst. I, vol. 51, no. 7, pp. 1395-1404, July 2004. 
[22] J. Bean and P. J. Langlois, "A Current Mode Analog Circuit for Tent Maps Using Piecewise Linear Functions," in IEEE ISCAS, 1994, pp. 125-128. 
[23] J. V. Neumann, "Various techniques used in connection with random digits," Appl. Math Ser, vol. 12, pp. 36-38, 1951. 
[24] "SHA-1 Standard, National Institute of Standards and Technology (NIST), Secure Hash Standard," FIPS PUB 180-1, 1995, http://www.itl.nist.gov/fipspubs/fip180-1.htm 
[25] "SHA-2 Standard, National Institute of Standards and Technology (NIST), Secure Hash Standard," FIPS PUB 180-2, 2002, http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 
[26] A. Beirami and F. Fekri, "Results on the redundancy of universal compression for finite-length sequences," in Proc. of IEEE ISIT, 2011. 
[27] A. Beirami, M. Sardari, and F. Fekri, "Results on the fundamental gain of memory-assisted universal source coding," in Proc. of IEEE ISIT, 2012. 
[28] A. Beirami and F. Fekri, "On lossless universal compression of distributed identical sources," in Proc. of IEEE ISIT, 2012. 
[29] "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications," National Institute for Standards and Technology, Special publication 800-22, 2001. 
[30] H. Nejati, A. Beirami, and Y. Massoud, "A realizable modified tent map for true random number generation," in Circuits and Systems, 2008. MWSCAS 2008. 51st Midwest Symposium on, Aug. 2008, pp. 621-624. 
[31] D. Li, Y. Jin, H. Shen, and X. Yan, "Design of Random Number Generation Algorithm," in IEEE ICCIAS, 2006, pp. 1287-1290. 
[32] T. Morie, S. Sakabayashi, M. Nagata, and A. Iwata, "Cmos circuits generating arbitrary chaos by using pulsewidth modulation techniques," IEEE Trans. Circuits Syst. I, vol. 47, no. 11, pp. 1652-1657, November 2000. 
[33] S. Callegari, G. Setti, and P. J. Langlois, "A CMOS Tailed Tent Map for the Generation of Uniformly Distributed Chaotic Sequences," in IEEE ISCAS, 1997, pp. 781-784. 
[34] F. Yuan, CMOS current-mode circuits for data communications. Springer, 2007. 
[35] B. Wilamowski, E. Ferre-Pikal, and O. Kaynak, "Low power, current mode cmos circuits for synthesis of arbitrary nonlinear functions," 9th NASA Symposium on VLSI Design, pp. 7.3.1-8, 2000. 
[36] R. Rovatti, N. Manaresi, G. Setti, and E. Franchi, "A current-mode circuit implementing chaotic continuous piecewise-affine markov maps," Proceedings of the Seventh International Conference on Microelectronics for Neural, Fuzzy and Bio-Inspired Systems, pp. 275-282, 1999. 
[37] T. Fiez, G. Liang, and D. Allstot, "Switched-current circuit design issues," IEEE J. Solid State Circuits, vol. 26, no. 3, pp. 192-202, March 1991. 
[38] International Technology Roadmap for Semiconductors (ITRS). http://public.itrs.net 
[39] S. Nassif, "Modeling and analysis of manufacturing variations," IEEE CICC, pp. 223-228, 2001. 
[40] A. Nieuwoudt, T. Ragheb, H. Nejati, and Y. Massoud, "Increasing manufacturing yield for wideband rf cmos lnas in the presence of process variations," in Proc. of the IEEE ISQED, 2007, pp. 801-806. 
[41] , "Variation tolerant design methods for wideband low noise amplifiers," ALOG MSL, vol. 58, pp. 49-54, 2009. 
[42] A. Beirami, H. Nejati, and Y. Massoud, "A performance metric for discrete-time chaos-based truly random number generators," in Proc. of IEEE MWSCAS, 2008, pp. 37-40. 
[43] T. Zhou, M. Yu, and Y. Ye, "A Robust High-Speed Chaos-Based Truly Random Number Generator for Embedded Cryptosystems," in IEEE MWSCAS, 2006, pp. 536-540. 
[44] Y.-H. Wang, H.-G. Zhang, Z.-D. Shen, and K.-S. Li, "Thermal noise random number generator based on SHA-2 (512)," in IEEE ICMLC, 2005, pp. 3970-3974. 
[45] T. Addabbo, M. Alioto, A. Fort, S. Rocchi, and V. Vignoli, "Efficient Post-Processing Module for a Chaos-based Random Bit Generator," in IEEE ICECS, 2006, pp. 1224-1227. 
[46] B. Sunar, W. J. Martin, and D. R. Stinson, "A provably secure true random number generator with built-in tolerance to active attacks," IEEE Trans. Computers, vol. 56, no. 1, pp. 109-119, January 2007. 
[47] A. Gerosa, R. Bernardini, and S. Pietri, "A fully integrated chaotic system for the generation of truly random numbers," IEEE Trans. Circuits Syst. I, vol. 49, no. 7, pp. 993-1000, 2002. 



